###
### Domain used to further sandbox the PrebuiltGMSCore app.
###
typeattribute gmscore_app coredomain;

app_domain(gmscore_app)

# sysfs: directory search across all sysfs types. The only sysfs read granted
# explicitly in this listing is sysfs_zram (/sys/block/zram*/mm_stat).
allow gmscore_app sysfs_type:dir search;
r_dir_file(gmscore_app, sysfs_zram)

# Read-only access to rootfs.
r_dir_file(gmscore_app, rootfs)

# OTA matching through libvintf: GMS core opens and reads the kernel config.
allow gmscore_app config_gz:file { getattr open read };

# Binder peers:
#   update_engine - A/B updates
#   storaged      - dumpsys storaged
#   statsd
binder_call(gmscore_app, update_engine)
binder_call(gmscore_app, storaged)
binder_call(gmscore_app, statsd)

# Service lookups: update_engine and storaged for the binder calls above, and
# system_update_service (e.g. to publish pending system update info).
allow gmscore_app {
  update_engine_service
  storaged_service
  system_update_service
}:service_manager find;

# Perfetto traces reach GMS core through the framework (TracingServiceProxy).
# GMS core sendfiles them into its private directory and reports them when
# network and battery conditions are appropriate. Only use of the passed fd
# plus read/getattr on the trace file is granted; there is no `open`.
allow gmscore_app perfetto:fd use;
allow gmscore_app perfetto_traces_data_file:file { getattr read };

# Generation of unique hardware IDs, for both keystore classes.
allow gmscore_app keystore:{ keystore_key keystore2_key } gen_unique_id;

# Compatibility check reads /sys/fs/selinux/policyvers.
allow gmscore_app selinuxfs:file r_file_perms;

# Suppress denials for non-API accesses.
# dontaudit grants no access; it only keeps matching denials out of the audit
# log. Anyone triaging this domain from avc logs should remember that probes of
# the targets below will not show up there.
dontaudit gmscore_app {
  exec_type
  net_dns_prop
  proc
  proc_interrupts
  proc_modules
  proc_net
  proc_stat
  proc_version
  sysfs
  sysfs_android_usb
  sysfs_dm
  sysfs_loop
  sysfs_net
  wifi_prop
  wifi_hal_prop
}:file r_file_perms;

dontaudit gmscore_app { device fs_bpf sysfs sysfs_net }:dir r_dir_perms;
dontaudit gmscore_app { mirror_data_file mnt_vendor_file }:dir search;

# Every permission in the kernel `security` class is silenced.
dontaudit gmscore_app kernel:security *;

# Note: sysfs_net:file is also subject to a neverallow later in this file, so
# for that type the access can never be granted and only its logging is
# suppressed here.

# Network access.
net_domain(gmscore_app)

# Webview crash handling depends on self ptrace
# (b/27697529, b/20150694, b/19277529#comment7). The target is `self` only.
allow gmscore_app self:process ptrace;

# Chrome Crashpad uses the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422).
allow gmscore_app system_linker_exec:file execute_no_trans;

# W^X exception: executable code may be loaded from writable priv-app home
# directories. Files there are both writable and executable in this domain,
# which is the violation being tolerated for now because of:
# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
#   1) com.android.opengl.shaders_cache
#   2) com.android.skia.shaders_cache
#   3) com.android.renderscript.cache
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;

allow gmscore_app privapp_data_file:lnk_file create_file_perms;

# /proc access: vmstat.
allow gmscore_app proc_vmstat:file r_file_perms;

# gpuservice: lookup plus binder calls.
allow gmscore_app gpu_service:service_manager find;
binder_call(gmscore_app, gpuservice)

# Lookup of services that expose both @SystemAPI and normal APIs.
# `find` only lets the domain obtain the service handle from service_manager.
allow gmscore_app {
  app_api_service
  system_api_service
  audioserver_service
  cameraserver_service
  drmserver_service
  mediadrmserver_service
  mediaextractor_service
  mediametrics_service
  mediaserver_service
  network_watchlist_service
  nfc_service
  oem_lock_service
  persistent_data_block_service
  radio_service
  recovery_service
  stats_service
}:service_manager find;

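# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk". Read-only on shell data.
# This grant is stated once so that tightening or removing it cannot leave a
# second, identical rule still in effect.
allow gmscore_app shell_data_file:dir r_dir_perms;
allow gmscore_app shell_data_file:file r_file_perms;

# Write to /cache.
allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow gmscore_app cache_file:lnk_file r_file_perms;

# Write to /data/ota_package for OTA packages.
allow gmscore_app ota_package_file:dir create_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;

# Write the checkin metadata to /data/misc_ce/<userid>/checkin.
# Directories get rw_dir_perms only; files get create_file_perms.
allow gmscore_app checkin_data_file:dir rw_dir_perms;
allow gmscore_app checkin_data_file:file create_file_perms;

# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
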
# b/148974132: com.android.vending needs this.
# Only read/write on TCP sockets labelled priv_app are granted here.
allow gmscore_app priv_app:tcp_socket { read write };

# Read-only system properties:
#   virtual_ab_prop  - b/168059475, determine whether the device supports VAB
#   dck_prop         - b/186488185
#   remote_prov_prop - RKP properties, for the purpose of GTS testing
get_prop(gmscore_app, virtual_ab_prop)
get_prop(gmscore_app, dck_prop)
get_prop(gmscore_app, remote_prov_prop)

# Quick Start properties: readable by GmsCore, and the neverallow makes the
# policy build fail if any domain other than init, dumpstate, vendor_init or
# gmscore_app is granted no_rw_file_perms on them.
get_prop(gmscore_app, quick_start_prop)
neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;

# Permission-protected network information must not be obtainable from sysfs:
# no permission on sysfs_net files may ever be granted to this domain.
neverallow gmscore_app sysfs_net:file *;

# Socket ioctl restrictions. Each rule below takes one of three forms:
#   1. disallow privileged ioctls,
#   2. disallow the ioctl permission, or
#   3. disallow the socket class.

# 1. IP sockets: privileged ioctls are never allowed.
neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# 2. Route and SELinux netlink sockets: no ioctl at all.
neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;

# 3. All remaining socket classes: no permission at all.
neverallow gmscore_app *:{
  socket packet_socket key_socket tun_socket
  netlink_socket netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket netlink_dnrt_socket
  netlink_kobject_uevent_socket netlink_iscsi_socket
  netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket
  netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
  appletalk_socket sctp_socket
  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket
  rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
  pppox_socket llc_socket can_socket tipc_socket bluetooth_socket
  iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket
  caif_socket alg_socket nfc_socket kcm_socket qipcrtr_socket
  smc_socket xdp_socket
} *;